
Re: full disclosure, or not?

also sprach Horst Pflugstaedt <Pfaedt@uni-duisburg.de> [2004.06.26.2155 +0200]:
> What would be the alternative?
> The security team would have to announce "there's a possible security
> flaw in package XY, we're on it, but it may take some more days to fix
> it".
> What's the worth of such announcements? Users (you'd) know about a bug, but
> still could not do anything about it. After all, I'd strongly object
> to my web-host/ISP/sys-admin/... switching off
> apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
> a yet unfixed security problem.

That's a matter for your web hoster. But if I knew of e.g. a root
exploit in the HTTP part of a mission-critical server containing
secret data, I would want to turn it off, or take additional security
precautions, like a firewall layer etc.

Not knowing about it doesn't mean that the "bad guys" don't know.

Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
